CIS Debian 12 Hardening on an Anubiz VPS
If you provisioned your Anubiz VPS with the Debian 12 template instead of Ubuntu 24.04, the CIS Debian Benchmark applies the same conceptual controls with slightly different package names and paths. This guide follows the Ubuntu CIS walkthrough, using Debian-correct commands and noting where the cloud image's choices differ from upstream Debian.
Why Debian Instead of Ubuntu
Debian offers a smaller default package set, no snapd, and longer LTS predictability. The trade-off is that the ssg-debian profile is less actively maintained than ssg-ubuntu.
Step 1: Repository Discipline
CIS requires that only signed repositories are used. The cloud image already meets this. Add backports only if you need them for a specific package.
Step 2: sshd, sysctl, auditd
The controls are the same as on Ubuntu, and the paths are identical. Confirm that sshd_config.d drop-in support is present (Debian 12 has it). Auditd is available via apt install auditd.
Step 3: AppArmor
AppArmor is not enforcing by default on the Debian 12 cloud image. Run aa-enforce /etc/apparmor.d/* to put the profiles into enforce mode. CIS requires enforce mode on at least sshd, named, and dovecot, if present.
Step 4: pam_pwquality
pam_pwquality is not installed by default. Run apt install libpam-pwquality, then configure /etc/security/pwquality.conf.
Step 5: Scoring
Score the result with OpenSCAP and the ssg-debian DataStream: oscap xccdf eval --profile cis ssg-debian12-ds.xml.
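A quick read-only spot check for Steps 1, 3 and 4 that can be run before the full OpenSCAP scan. This is an added example, not part of the original guide or of any CIS or Anubiz tooling; the function names are hypothetical, and it assumes the standard apt, AppArmor securityfs and pwquality.conf file formats.

```sh
#!/bin/sh
# Added example: read-only spot checks for Steps 1, 3 and 4.
# Every function takes its input path as an argument, so it can be pointed
# at the live file or at a copy pulled from the VPS.

# Step 1: print apt source entries that switch off signature verification.
# Handles one-line *.list entries and deb822 *.sources stanzas.
unsigned_sources() {
    find "$1" -type f \( -name '*.list' -o -name '*.sources' \) -exec \
        grep -EHin \
            -e '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*(trusted|allow-insecure)=yes' \
            -e '^(Trusted|Allow-Insecure)[[:space:]]*:[[:space:]]*yes' {} + || :
}

# Step 3: print loaded AppArmor profiles whose mode is not "enforce".
# Input uses the "name (mode)" lines of /sys/kernel/security/apparmor/profiles.
# A profile that was never loaded does not appear in that file at all.
non_enforcing_profiles() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    grep -v ' (enforce)$' "$1" || :
}

# Step 4: print the last uncommented assignment of a pwquality.conf key,
# "unset" if there is none, or "missing" if the file is not readable
# (for example because libpam-pwquality is not installed yet).
pwquality_value() {
    [ -r "$2" ] || { echo "missing"; return 0; }
    awk -F= -v key="$1" '
        /^[ \t]*#/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == key { val = v }
        END { print (val == "" ? "unset" : val) }
    ' "$2"
}

# Run all checks against the live system (as root; nothing is modified).
cis_spot_check() {
    echo "== apt sources that bypass signature checks =="
    unsigned_sources /etc/apt
    echo "== AppArmor profiles not in enforce mode =="
    non_enforcing_profiles /sys/kernel/security/apparmor/profiles
    echo "== pwquality minlen: $(pwquality_value minlen /etc/security/pwquality.conf)"
}
```

Source the file and call cis_spot_check as root; empty output under the first two headings means nothing was flagged.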